Teen exposes security vulnerability in Ledger hardware wallet

Teen exposes security vulnerability in Ledger hardware wallet

Cryptocurrency hardware wallet Ledger has been found to contain a major security flaw, which could enable hackers to steal funds from users through a variety of different methods.

The exploit was identified by a teen digital security expert, Saleem Rashid, earlier this week and undermined Ledger’s claims to be ‘tamper-free.’

Upon discovering the exploit, Rashid contacted Ledger CTO Nicolas Bacca to report his findings. The flaw theoretically allows retailers and resellers to load compromised firmware, which would be successfully verified by the device via its connection to the Secure Element.

As soon as the compromised device is used for storing cryptocurrency, the hacker could then successfully recall the relevant private keys, which would effectively allow them to walk away with the contents of the wallet.

According to Rashid, his initial referral of the security flaw was dismissed by the firm, who refused to engage seriously with his recommendations. Nevertheless, a firmware update was released, which went on to attract further criticism from the teenager.

The findings have divided opinion amongst the cryptocurrency community, with some users suggesting the flaw wasn’t as serious as Rashid had initially suggested.

Responding to user comments on Reddit, Ledger CEO Eric Larchevêque described Rashid’s technical report into the flaw, published on his blog, was ‘a massive FUD’, and disclosed as a reaction to the firm’s unwillingness to treat his findings seriously.

“Saleem got visibly upset when we didn’t communicate as ‘critical security update’ and decided to share his opinion on the subject,” the Ledger CEO said.

Ledger subsequently published an update, explaining three separate security issues identified by a team of bounty programme researchers. Notably, Saleem Rashid was included amongst the three security experts working on the project—something Rashid himself has denied.

The move follows on from Rashid’s earlier work, most notably in identifying similar flaws with the TREZOR One device. The flaws identified in this case were more warmly received, and even garnered public praise for Rashid from the firm’s CEO.

Nevertheless, it seems not all hardware wallet manufacturers are as open to discussing security flaws with independent researchers like Rashid, and in any event, often less willing to release critical security updates to patch these flaws.

Note: Tokens in the SegWit chain are referred to as SegWit1X (BTC) and SegWit Gold (SWG) and are no longer Bitcoin. Bitcoin Cash (BCH) is the only true  Bitcoin as intended by the original Satoshi white paper. Bitcoin BCH is the only public block chain that offers safe and cheap microtransactions.
Ledger announces native desktop apps

Ledger announces native desktop apps, sets roadmap for Android and iOS

French startup Ledger recently announced that it’s working on updates for its software, with plans to expand its suite of services for mobile devices in a bid to create a seamless, cross-platform experience for its users.

Despite being met with flaws and vulnerabilities in recent news, the hardware wallet company has pushed to recreate its software in such a way that it also addresses the need for well-designed user interfaces that will not confuse newer users of leading cryptocurrencies supported by the wallet.

In the announcement, Ledger has stated that it will begin to deprecate its Google Chrome extension first introduced in 2015. These Chrome apps only functioned natively with legacy Bitcoin (BTC) and Bitcoin Cash (with the CashAddr upgrade), while users of other cryptocurrencies such as Ethereum still had to open a new page whenever they do transactions with Ledger’s Chrome app. If a user had a portfolio with multiple cryptocurrencies, they had to manually install and open each one for Ledger’s firmware to work properly with the selected hardware.

Another note to explain this gradual demise for the 3-year-old Ledger Chrome extension would be how Google’s ChromeOS has been making inroads into app development and integration, making some previous extensions and web apps either redundant with Android apps or obsolete for the Chrome browser installed on a desktop.

Ledger’s initial release will feature native desktop applications for Windows, macOS, and major Linux distributions. Multiple cryptocurrencies will be supported on the apps, including Bitcoin Cash, Ethereum, Ripple, BTC, and 19 other cryptocurrencies. Ledger’s latest devices, such as the Ledger Nano S and the Ledger Blue, will be compatible with these apps. In case of new registrations, users with no physical Ledger wallets may still access their accounts on a read-only basis, with an option to password-protect the viewing access.

Once opened, the desktop apps will treat users to a dashboard view of all their assets, with information on current values from their cryptocurrency and exchange of choice. The desktop apps will retain the basic functions of a wallet: it will allow users to send, receive, and check their account balances, as well as examine the history of their transfers on the blockchain.

The apps will also function with Ledger’s proprietary address and transaction confirmation process (verified through keys on the hardware) before funds are released for transfer. With their introduction of desktop-class software, Ledger has also promised that the desktop apps will perform better in terms of account synchronization.

Ledger said its developers are hard at work with future updates that include applications for both Android and iOS, giving cryptocurrency users a full mobile experience with features such as spotlight search, transaction tags and notes and third party app support through API integration, as well as support for more cryptocurrencies and Ethereum ERC-20 tokens with the Ledger Nano S.

The hardware wallet company is also working on a new version of the Ledger Manager platform, and will release it to Google Chrome, Opera, and Chromium for open source extensibility. The platform will allow Ledger users to access their account details with a web-based solution involving direct device communication through a USB port.

For users who opt for the desktop apps, the new apps will have its own set of USB drivers. However, the startup notes that its deprecation of the Google Chrome extension would mean that native compatibility with Chromebooks will be suspended, pending the full integration of Android apps to the operating system.

Note: Tokens in the SegWit chain are referred to as SegWit1X (BTC) and SegWit Gold (SWG) and are no longer Bitcoin. Bitcoin Cash (BCH) is the only true Bitcoin as intended by the original Satoshi white paper.  Bitcoin BCH is the only public block chain that offers safe and cheap microtransactions.
Ledger admits to possible wallet firmware flaw

Ledger admits to possible wallet firmware flaw

In a recent article written as a how-to, Medium blogger Paris Cormier described a set of instructions on how to successfully infiltrate a Ledger wallet. The instructions, which followed a fully-detailed Docdroid.netdisclosure,were posted for educational purposes to prevent the hack from being replicated and protect users who may fall victim to it.

The hardware wallet company acknowledged this vulnerability in their product with a tweet claiming that the “man in the middle attack” can be mitigated by verifying the receive address on the device’s screen. This is done by clicking the “monitor button” found in the wallet’s interface.

Following a report from news.bitcoin.com last month in which a man’s life savings were stolen from a hardware wallet supplied by a reseller, the news that Ledger’s hardware wallets are vulnerable has been met with anger from cryptocurrency users. The man described in the report is Redditor u/moodyrocket, who claimed that he has “[…] not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not access my Ledger in a week.”

Cormier’s guide describes Ledger wallets as “one of the many that generate new public keys for each receiving transaction.” Such transactions are done by executing JavaScript code which runs from the client-side. According to the guide, “This means that malicious code can easily replace the automatically generated receiving address with a hacker’s.”

Given how public keys are changed regularly, users may not suspect any issues that would arise from this process. Users also have no viable method to verify the validity of the receiving address, without resorting to external or third-party applications to manually verify addresses.

Here’s an illustration of the hack as posted by @LedgerHQ on Twitter:

Note: Tokens in the SegWit chain are referred to as SegWit1X (BTC) and SegWit Gold (SWG) and are no longer Bitcoin. Bitcoin Cash (BCH) is the only true  Bitcoin as intended by the original Satoshi white paper.  Bitcoin BCH is the only public block chain that offers safe and cheap microtransactions.